Class SSL.context

Inheritance graph
7.8::SSL.context 7.8::SSL.sslport
Description

Keeps the state that is shared by all SSL-connections for one server (or one port). It includes policy configuration, a server certificate, the server's private key(s), etc. It also includes the session cache.


Variable advertised_protocols

array(string) SSL.context.advertised_protocols

Description

List of advertised protocols using using TLS next protocol negotiation.


Variable auth_level

int SSL.context.auth_level

Description

Policy for client authentication. One of SSL.Constants.AUTHLEVEL_none, SSL.Constants.AUTHLEVEL_ask and SSL.Constants.AUTHLEVEL_require.


Variable certificates

array(string) SSL.context.certificates

Description

The server's certificate, or a chain of X509.v3 certificates, with the server's certificate first and root certificate last.


Variable client_certificate_selector

function(.context, array(int), array(string):array(string)) SSL.context.client_certificate_selector

Description

A function which will select an acceptable client certificate for presentation to a remote server. This function will receive the SSL context, an array of acceptable certificate types, and a list of DNs of acceptable certificate authorities. This function should return an array of strings containing a certificate chain, with the client certificate first, (and the root certificate last, if applicable.)


Variable client_certificates

array(array(string)) SSL.context.client_certificates

Description

An array of certificate chains a client may present to a server when client certificate authentication is requested.


Variable client_rsa

Crypto.RSA SSL.context.client_rsa

Description

The client's private key (used with client certificate authentication)


Variable client_server_names

array(string) SSL.context.client_server_names

Description

Host names to send to the server when using the Server Name extension.


Variable client_use_sni

int SSL.context.client_use_sni

Description

Should an SSL client include the Server Name extension?

If so, then client_server_names should specify the values to send.


Variable dh_params

.Cipher.DHParameters SSL.context.dh_params

Description

Parameters for dh keyexchange.


Variable dsa

Crypto.DSA SSL.context.dsa

Description

Servers default dsa key.

Note

If SNI (Server Name Indication) is used and multiple keys are available, this key will not be used, instead the appropriate SNI key will be used (the default implementation stores these in sni_keys.


Variable long_rsa
Variable short_rsa

Crypto.RSA SSL.context.long_rsa
Crypto.RSA SSL.context.short_rsa

Description

Temporary, non-certified, private keys, used with a server_key_exchange message. The rules are as follows:

If the long_rsa is not zero its public part will be sent. If it is zero and short_rsa is set, its public part will be sent instead. If they are both zero, no server_key_exchange message is sent.


Variable max_sessions

int SSL.context.max_sessions

Description

Maximum number of sessions to keep in the cache.


Variable preferred_auth_methods

array(int) SSL.context.preferred_auth_methods

Description

For client authentication. Used only if auth_level is AUTH_ask or AUTH_require.


Variable preferred_compressors

array(int) SSL.context.preferred_compressors

Description

Always ({ COMPRESSION_null })


Variable preferred_suites

array(int) SSL.context.preferred_suites

Description

Cipher suites we want to support, in order of preference, best first.


Variable random

function(int:string) SSL.context.random

Description

Used to generate random cookies for the hello-message. If we use the RSA keyexchange method, and this is a server, this random number generator is not used for generating the master_secret.


Variable require_trust

int SSL.context.require_trust

Description

When set, require the chain to be known, even if the root is self signed.

Note that if set, and certificates are set to be verified, trusted issuers must be provided, or no connections will be accepted.


Variable rsa

Crypto.RSA SSL.context.rsa

Description

The server's default private key

Note

If SNI (Server Name Indication) is used and multiple keys are available, this key will not be used, instead the appropriate SNI key will be used (the default implementation stores these in sni_keys.


Variable select_server_certificate_func

function(.context, array(string):array(string)) SSL.context.select_server_certificate_func

Description

A function which will select an acceptable server certificate for presentation to a client. This function will receive the SSL context, and an array of server names, if provided by the client. This function should return an array of strings containing a certificate chain, with the client certificate first, (and the root certificate last, if applicable.)

The default implementation will select a certificate chain for a given server based on values contained in sni_certificates.


Variable select_server_key_func

function(.context, array(string):object) SSL.context.select_server_key_func

Description

A function which will select an acceptable server key for presentation to a client. This function will receive the SSL context, and an array of server names, if provided by the client. This function should return an object matching the certificate for the server hostname.

The default implementation will select the key for a given server based on values contained in sni_keys.


Variable session_lifetime

int SSL.context.session_lifetime

Description

Sessions are removed from the cache when they are older than this limit (in seconds). Sessions are also removed from the cache if a connection using the session dies unexpectedly.


Variable sni_certificates

mapping(string:array(string)) SSL.context.sni_certificates

Description

A mapping containing certificate chains for use by SNI (Server Name Indication). Each entry should consist of a key indicating the server hostname and the value containing the certificate chain for that hostname.


Variable sni_keys

mapping(string:object) SSL.context.sni_keys

Description

A mapping containing private keys for use by SNI (Server Name Indication). Each entry should consist of a key indicating the server hostname and the value containing the private key object for that hostname.

Note

keys objects may be generated from a decoded key string using Standards.PKCS.RSA.parse_private_key().


Variable use_cache

int SSL.context.use_cache

Description

Non-zero to enable cahing of sessions


Variable verify_certificates

int SSL.context.verify_certificates

Description

Determines whether certificates presented by the peer are verified, or just accepted as being valid.